Advocacy and Action

ED Interest in DATA Compliance Grows

March 2018

By Megan Schneider

In recent months, the Federal Student Aid (FSA) division of the Department of Education (ED) has taken unorthodox steps in sending to colleges and universities compliance letters regarding breach notification and information security reporting, based on unconfirmed reports of student information data breaches. Some letters were sent without prior FSA communication with the designated institutional contacts—as laid out in agreements between FSA and the involved institutions. In some cases, the compliance letters were sent directly to the president or chancellor of an institution in response to media reports of suspected breaches, without FSA first confirming with the institution the alleged breach.

These letters—copies of which have been made available by EDUCAUSE on its website—range in tone from asserting various reporting requirements that institutions must ostensibly comply with (based on actual or suspected data breaches), to reprimanding schools for alleged failures in self-reporting breaches to FSA. Further, Federal Student Aid asserts that institutions also have the responsibility to provide “immediate notification” of any and all suspected or actual breaches, even if the breach has no impact on federal student aid data. This extremely granular approach would require the most basic of incidents, such as a student needing to change a portal password after incorrectly entering it multiple times, to be reported to FSA.

Institutions Struggle to Respond

Federal Student Aid’s authority to regulate in this area is based solely on contractual provisions in its Program Participation and Student Aid Information Gateway agreements; such authority is not defined under federal law or regulations. As such, it is still unclear to schools whether FSA’s authority to regulate in this space, without enacting a firmer legal or regulatory basis, actually exists.

Additionally, what FSA determines to be a “breach,” “suspected breach,” or “immediate notification” is not defined in any of these agreements, leaving institutions to attempt to define the terms on their own without any further compliance guidance from the Department of Education.

ED’s Previous Actions

As NACUBO reported in April 2017, FSA, at that time, expressed interest in adding an audit objective to the FY18 compliance supplement, issued by the Office of Management and Budget, that would evaluate institutional compliance with the Safeguards Rule of the Gramm-Leach-Bliley Act. While the GLBA primarily regulates financial institutions, colleges and universities are subject to some of its provisions—including the Safeguards Rule—due to their involvement in financial lending activities.

The Safeguards Rule governs the protection of student financial information by requiring institutions to maintain data security and risk management plans to prevent breaches from occurring, but also to ensure quick action to mitigate damage should breaches occur. While schools must comply with the rule, the related proposed audit objective has yet to be officially implemented and no new guidance or documentation was ever issued by ED that would enable compliance with such an objective.

In a January 2018 update from the senior adviser for cybersecurity at Federal Student Aid, ED released a cybersecurity compliance FAQ, which reminded institutions that the Student Aid Internet Gateway Agreement requires that institutions “report actual data breaches, as well as suspected data breaches, on the day that a data breach is detected or even suspected.” The document further states, “ED has the authority to fine institutions—up to $54,789 per violation, per 34 C.F.R. § 36.2—that do not comply with the requirement to self-report data breaches.” The FAQ also reminds institutions that starting in FY18, they will be audited on effectiveness in securing student information. ED’s guidance, along with the FY18 audit language, is posted on its Cybersecurity Compliance Web page (https://ifap.ed.gov/eannouncements/Cyber.html), where additional resources are also available.

Advocacy in Progress

EDUCAUSE has responded to FSA’s latest compliance letters by sending a letter to newly appointed FSA Chief A. Wayne Johnson. In the letter, EDUCAUSE asserts its support of FSA’s attempts to develop and enforce data security regulations, but urges Federal Student Aid to work with the higher education community to develop a more reasonable and well-documented plan that addresses concerns about data privacy and, at the same time, is suitable for many different institution types. The letter also asked that FSA consider schools’ individual concerns about the private information that they are being asked to provide to the department, without any guarantee of FSA’s own ability to keep this information secure and confidential.

NACUBO is supporting EDUCAUSE’s efforts in this space, and is working with its team to advocate for reasonable and established guidelines to ensure that student information is safeguarded at colleges and universities.

For more information and for compliance resources, visit www.nacubo.org and under the “Topics” tab click on “Other Business Areas” and then “Privacy and Intellectual Property.” EDUCAUSE also has an Information Security Guide that can be accessed on its website at https://tinyurl.com/ydh5xbmj.

NACUBO and EDUCAUSE are advocating for reasonable and established guidelines to ensure student information is safeguarded.

Changes on the Horizon – Is Your Institution Ready?

Over the past several months, federal regulators and the European Union have repealed and adopted laws that will change key information technology operations at colleges and universities. Because of these changes, institutions should be prepared to comply with new regulations and assess their impacts on campus. NACUBO will continue to advocate on behalf of colleges and universities to ensure that new regulations are reasonable and not unduly burdensome.

In addition to these issues, other IT changes to watch include:

Net neutrality. On Dec. 14, 2017, the Federal Communications Commission (FCC) voted to repeal Obama-era net neutrality protections. Prior to the vote, NACUBO joined the American Council on Education, EDUCAUSE, and other higher education associations expressing opposition to the change. Following the FCC vote, various public interest groups and attorneys general from 21 states and the District of Columbia filed suit to block the new rules.

Safeguards Rule. To protect student information, colleges and universities are required to comply with the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). By existing law and regulation, the Federal Trade Commission is the Safeguards Rule enforcement agency. However, NACUBO learned last year that the Department of Education has proposed adding a GLBA compliance check to the audit requirements for the student financial assistance cluster under the Single Audit Act.

New European Union general data protection regulations. U.S. institutions with European Union–based operations or significant numbers of EU residents as students—for example, those that deliver distance education programs to such students within the EU—should be prepared to implement GDPR-compliant practices starting on May 25, 2018.